You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2005/04/10 03:46:18 UTC
[Bug 4252] New: Identify abnormal email volumes as possible spam flow
http://bugzilla.spamassassin.org/show_bug.cgi?id=4252
Summary: Identify abnormal email volumes as possible spam flow
Product: Spamassassin
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Plugins
AssignedTo: dev@spamassassin.apache.org
ReportedBy: Bob@Menschel.net
Just about all systems have predicatble email flows. There's an ebb and flow to
email, but every system has some statistical range of "usual" email counts.
When a new virus starts to spread rapidly, or a new spam service finds a
friendly smtp server, or a spammer starts doing a dictionary attack on one of
your domains, your email volume will suddenly climb outside the "usual" traffic
ranges.
Would it be useful to have a plugin which tracks inbound traffic levels, and
usually does nothing but. However, when those traffic levels exceed the
statistically valid ranges, the plugin adds to the SpamAssassin score,
preferably some value depending on just how abnormal the additional traffic is?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4252] Identify abnormal email volumes as possible spam flow
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4252
------- Additional Comments From Bob@Menschel.net 2005-10-23 08:46 -------
That depends on the value of plugin's score. If the plugin is scored at 0.75,
then nothing will happen to emails scored 3 through 4.249, but emails scored at
4.250 or higher will suddenly hit 5.0.
The question becomes, how many ham will get pushed over the edge, and how many
spam will be pushed over the edge?
Given that rules are currently scored with no regard to email flows, simply
dropping this plugin into the system will push some ham into spam scores during
a spam flood. That's undesirable, though by the definition of "flood", it may
not impact S/O significantly.
Better would be to figure out some way to rescore rules to incorporate the
"flood" rule/plugin into the mix. I admit I don't see how to do that (yet).
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4252] Identify abnormal email volumes as possible spam flow
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4252
------- Additional Comments From spamassassin@dostech.ca 2005-10-22 04:25 -------
I can't see a way of this working Bob. What happens to all the legit messages
with scores of 3 or 4 that arrive during a period of abnormal mail flow?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4252] Identify abnormal email volumes as possible spam flow
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4252
------- Additional Comments From felicity@apache.org 2007-01-05 16:17 -------
(In reply to comment #3)
> number of other related bits of information. This seems like a nice idea, but
> in the real world, it'd be hard to mass-check this rule!!
Actually it would be rather trivial to mass-check that kind of thing. We care
when the message was received (there's a Util function to determine this) not
what the current time is, and you can even have mass-check replay the messages
in order which we currently do for Bayes.
Note: the default nightly/weekly runs don't both running messages in order since
it doesn't matter for the current non-Bayes rules.
> Is this ticket worth keeping open? Bob admits his day job is more important
> than SA at the moment, in the future we could always reopen it?
It may be worth testing, but I have a feeling it's not going to provide a usable
ham/spam distinction.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4252] Identify abnormal email volumes as possible spam flow
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4252
------- Additional Comments From tech2@i-is.com 2007-01-05 14:56 -------
Unexpected e-mail flows happen. What say I have advertising running on Weekends
for my company and all of a sudden the number of inquiries I receive is way out
of normal range.
On the flip side, it could give average flow rates, but it would need to track
time of day, weekday, (as weekdays are busier than weekends for me), and a
number of other related bits of information. This seems like a nice idea, but
in the real world, it'd be hard to mass-check this rule!!
Is this ticket worth keeping open? Bob admits his day job is more important
than SA at the moment, in the future we could always reopen it?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 4252] Identify abnormal email volumes as possible spam flow
Posted by bu...@bugzilla.spamassassin.org.
http://bugzilla.spamassassin.org/show_bug.cgi?id=4252
Bob@Menschel.net changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|Undefined |Future
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.